There’s Nothing New in IT

Ok, I’ll admit the headline might be a bit much. Especially as we’re now in a world where automation is king (really, stop hand cranking stuff!) and mobile devices are everywhere. However, when you’ve recently spent some time writing VBScript, you do have to wonder. Although thankfully the Pascal books are still gaining dust on the shelves!

The thing is, it’s not just in my small world that we’ve seen old things come back. Take a look at the ImageTragick bug that’s recently got some attention. It’s a really old-fashioned type of security issue in a library you probably didn’t even realize you were using.

At its simplest, it’s possible to inject and run commands through an image file. By abusing the mechanism ImageMagick has for loading files linked from other image files, you can get the process to inadvertently run commands. At that point, you’re pretty well screwed.

Now there are a number of workarounds for this problem. That said, you can’t always protect against these things. I could tell you of software the developer admitted needed domain admin credentials to perform basic authentication (we were a little lost by that bit!) but couldn’t have a complex password. Mainly because it was doing the equivalent of “echo password | ad commands” as the local root. Ignoring the regular phone home requirement, it was enough to make us think twice about deploying the tool.

Staying with the security thread, take a look at the Full Disclosure mailing list. SQL injection vulnerabilities still make regular appearances. If you don’t know what they are, they take advantage of the “plain English”-like language used to access databases. Let’s pretend you’ve got a login form that uses the following SQL:

SELECT * FROM users WHERE username = 'value' AND password = 'value';

In most cases, it’ll match on a username and password. Let’s say I put “admin';--” into your username field. With no protection in place, the quote closes the username string and the -- turns the password check into a comment, so it’ll match on the admin user. Whoops!

There are many protections against this, such as parameterised queries. While I don’t expect these issues to completely die out, I’d hope to see fewer of them. Especially as we’re now in an age where automated SQL injection attack tools exist.
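To make the difference concrete, here is the login query above built by string concatenation next to the parameterised form. This is an added example, not code from the original post; the in-memory SQLite table, the function names and the sample password are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory users table with one account.
    # The plaintext password column only mirrors the query in the post;
    # a real system stores a salted password hash instead.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db


def login_concatenated(db, username, password):
    # Vulnerable: input is pasted into the SQL text, so a quote in the
    # input ends the string literal and what follows is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "';")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(db, username, password):
    # Hardened: the SQL text is fixed and the values are bound separately,
    # so quotes and comment markers in the input stay plain data.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    crafted = "admin';--"  # the username value from the post
    return {
        "concatenated, crafted username": login_concatenated(db, crafted, "wrong"),
        "parameterised, crafted username": login_parameterised(db, crafted, "wrong"),
        "parameterised, correct login": login_parameterised(
            db, "admin", "s3cret-constructed"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: logged in as {user!r}")
```

Only the concatenated version returns the admin row without the right password; the parameterised version looks for a user literally named “admin';--” and finds none.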

All this is ignoring cases where security measures were purposefully defeated by the implementers. For example, I recently read a good article on how leaving iSCSI exposed and unprotected is a really bad move. I’ve also seen in person where full disk encryption was deployed (a good thing). However, the break glass user, needed to get back in if things go wrong, had a username matching that of the software used and a password that was the same in “leet speak”. Kinda defeats the point and thankfully has since been changed!

It’s not only security where the old keeps popping back up. Ignoring the Novell Netware you occasionally still see in deployment and even the DOS playout system I was supporting in 2010, I’ve recently been tasked with controlling an RDS encoder using serial over an IP link. On the up side, at least I’m not having to crack out the DTMF decoder this time round (“biddle-bip”).

And that’s got me wondering, what old systems, issues and technologies are you still seeing in active service?